Welcome to the Second Life Forums Archive

More scripts to be released?

Flyingroc Chung
:)
Join date: 3 Jun 2004
Posts: 329
07-19-2005 21:47
Philip Linden said:
From: someone

Using this exploit, 5 SL users were able to collect about 50 scripts from a total of about 13 different in-world objects. No in-world objects beyond these were affected, and there was no ability to change permissions or make any other changes to the actual in-world objects.


I'd just like to warn that if your source-code was not one of those "open sourced," do not be complacent. It looks like actually scripts from more than 13 objects were taken. In fact, it seems that two more sets of scripts were released sometime this evening (Skylark and Slipstream). There is talk that the hacker will release more scripts.

I think what this hack has taught us is that we cannot rely on the in-game permissions to guarantee that our code cannot be seen. In the end, every scripter -- especially those with scripts that deal with other people's money -- should take a second look at their code and try to make sure your scripts are secure.
_____________________
Try your luck at Heisenberg Casino.
Like our games? You can buy 'em! Purchase video poker, blackjack tables, slot machines, and more!
Enabran Templar
Capitalist Pig
Join date: 26 Aug 2004
Posts: 4,506
07-19-2005 22:06
Tonight the individual responsible for the script leak appeared in #secondlife on efnet. He reported that a portion of the originally-leaked source code was removed from the zip file. It was replaced with another, previously-unleaked piece of source code.

This guy is a real nozzle.
_____________________
From: Hiro Pendragon
Furthermore, as Second Life goes to the Metaverse, and this becomes an open platform, Linden Lab risks lawsuit in court and [attachment culling] will, I repeat WILL be reversed in court.


Second Life Forums: Who needs Reason when you can use bold tags?
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
07-19-2005 22:10
From: Enabran Templar
Tonight the individual responsible for the script leak appeared in #secondlife on efnet. He reported that a portion of the originally-leaked source code was removed from the zip file. It was replaced with another, previously-unleaked piece of source code.

Yep, but I can't say anything else or I'll get in trouble from the lindens. I talked to him though, he seems pretty cool... :-X
Ulrika Zugzwang
Magnanimous in Victory
Join date: 10 Jun 2004
Posts: 6,382
07-19-2005 22:13
Agreed. Definitely a nozzle.

~Ulrika~
_____________________
Chik-chik-chika-ahh
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
07-19-2005 22:34
From: Flyingroc Chung
...take a second look at their code and try to make sure your scripts are secure.

:-X
Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
07-19-2005 22:37
From: nimrod Yaffle
Yep, but I can't say anything else or I'll get in trouble from the lindens. I talked to him though, he seems pretty cool... :-X


Yeah he seems like a wonderful guy - I can see why you would think he is cool. :rolleyes:
_____________________
Cristiano


ANOmations - huge selection of high quality, low priced animations all $100L or less.

~SLUniverse.com~ SL's oldest and largest community site, featuring Snapzilla image sharing, forums, and much more.

nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
07-19-2005 22:38
From: Cristiano Midnight
Yeah he seems like a wonderful guy - I can see why you would think he is cool. :rolleyes:

No, his personality, NOT actions!
Jillian Callahan
Rotary-winged Neko Girl
Join date: 24 Jun 2004
Posts: 3,766
07-19-2005 22:52
From: nimrod Yaffle
No, his personality, NOT actions!

His actions ARE his personality. "Nozzle" indeed.
_____________________
Ulrika Zugzwang
Magnanimous in Victory
Join date: 10 Jun 2004
Posts: 6,382
07-19-2005 22:55
Good lord! I just received information that not even I could post. I want to squeal like a piggy but I can't. Let's hope this is all resolved soon. :-X

~Ulrika~
_____________________
Chik-chik-chika-ahh
Huns Valen
Don't PM me here.
Join date: 3 May 2003
Posts: 2,749
07-19-2005 22:55
From: Flyingroc Chung
Philip Linden said:


I'd just like to warn that if your source-code was not one of those "open sourced," do not be complacent. It looks like actually scripts from more than 13 objects were taken. In fact, it seems that two more sets of scripts were released sometime this evening (Skylark and Slipstream). There is talk that the hacker will release more scripts.

I think what this hack has taught us is that we cannot rely on the in-game permissions to guarantee that our code cannot be seen. In the end, every scripter -- especially those with scripts that deal with other people's money -- should take a second look at their code and try to make sure your scripts are secure.

Personally I am not confident that the server-side issues are patched. There are a number of things about this whole incident, and not just the leak, that are very puzzling to me.

My advice to SL scripters is this:
  1. Whatever scripts are in whatever you've sold may still be in danger. Personally I suspect they are, regardless of the patched client, for reasons I will not discuss here or in private. I'd rather not say anything about it at all, but I feel others have a right to know.

  2. If you have anything rezzed right now - something you're working on, but haven't sold or given to anyone yet - and you would like to protect it, my advice is to take it into your inventory for the time being.
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
07-19-2005 22:57
From: Huns Valen
Personally I am not confident that the server-side issues are patched. There are a number of things about this whole incident, and not just the leak, that are very puzzling to me.

My advice to SL scripters is this:
  1. Whatever scripts are in whatever you've sold may still be in danger. Personally I suspect they are, regardless of the patched client, for reasons I will not discuss here or in private. I'd rather not say anything about it at all, but I feel others have a right to know.

  2. If you have anything rezzed right now - something you're working on, but haven't sold or given to anyone yet - and you would like to protect it, my advice is to take it into your inventory for the time being.

Trust me, you have reason to worry... :-X
Ulrika Zugzwang
Magnanimous in Victory
Join date: 10 Jun 2004
Posts: 6,382
07-19-2005 23:04
From: Huns Valen
If you have anything rezzed right now - something you're working on, but haven't sold or given to anyone yet - and you would like to protect it, my advice is to take it into your inventory for the time being.

Excellent advice. One can never be too sure until things calm down, especially with high-value assets.

~Ulrika~
_____________________
Chik-chik-chika-ahh
Buster Peel
Spat the dummy.
Join date: 7 Feb 2005
Posts: 1,242
07-19-2005 23:07
From: nimrod Yaffle
...he seems pretty cool...

He seems pretty cool? Are you a complete moron?
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
07-19-2005 23:20
From: Buster Peel
He seems pretty cool? Are you a complete moron?

Woo! I love trolls! If only I was allowed to say more about this. *sigh*
Cienna Samiam
Bah.
Join date: 13 Mar 2005
Posts: 1,316
07-19-2005 23:56
Personally, I hope someone thinks to file a 'John Doe' action and obtain the information needed to take legal action. Not only would it be an industry-rocking precedent when resolved, it would deliver an obviously much needed lesson in reality to the pitiful hack who decided this was a good way to 'get attention'.

Who knows, maybe they'll Mitnick him. :)
_____________________
Just remember, they only care about you when you're buying sims.
Alan Kiesler
Retired Resident
Join date: 29 Jun 2004
Posts: 354
07-20-2005 02:56
From: Ulrika Zugzwang
Excellent advice. One can never be too sure until things calm down, especially with high-value assets.

~Ulrika~


Well, the one big thing I'm working on now is actually in my KI attachment for testing. Everything else (of mine) I'm not worried about.

But I may consider taking the Money Tree and Visitor Counter down for now...
_____________________
Timothy S. Kimball (RL) -- aka 'Alan Kiesler'
The Kind Healer -- http://sungak.net

No ending is EVER written; Communities will continue on their own.
Hank Ramos
Lifetime Scripter
Join date: 15 Nov 2003
Posts: 2,328
07-20-2005 04:40
From: Ulrika Zugzwang
Agreed. Definitely a nozzle.

~Ulrika~


I think a better term would be *fuckwad*.
Kris Ritter
paradoxical embolism
Join date: 31 Oct 2003
Posts: 6,627
07-20-2005 04:42
Fuckwad sounds like something you'd put *in* a nozzle.
_____________________
Blayze Raine
Renegade
Join date: 29 Dec 2004
Posts: 407
07-20-2005 05:16
From: Cienna Samiam
Personally, I hope someone thinks to file a 'John Doe' action and obtain the information needed to take legal action. Not only would it be an industry-rocking precedent when resolved, it would deliver an obviously much needed lesson in reality to the pitiful hack who decided this was a good way to 'get attention'.

Who knows, maybe they'll Mitnick him. :)


I understand your point, Cienna, but doing so would open up an even bigger can of worms for the trademark/copyright infringements that are happening in world as well. Not saying they are right or wrong, but it could have a ripple effect that would have major drawbacks for the open environment we all enjoy now.

Nimrod, you think the guy is cool...so your name is not a mistake then, no?
Sapphire Bombay
Avatar
Join date: 8 Oct 2003
Posts: 341
07-20-2005 06:47
From: Alan Kiesler
But I may consider taking the Money Tree and Visitor Counter down for now...


From: Huns Valen
My advice to SL scripters is this:
Whatever scripts are in whatever you've sold may still be in danger. Personally I suspect they are, regardless of the patched client, for reasons I will not discuss here or in private. I'd rather not say anything about it at all, but I feel others have a right to know.

If you have anything rezzed right now - something you're working on, but haven't sold or given to anyone yet - and you would like to protect it, my advice is to take it into your inventory for the time being.


OK, I have been following this from the sidelines up until now. What, if any specific information, has been released about the Money Tree code? And, let's not beat around the bush if all in game scripts are still at risk. What first hand facts do you have? Withholding information now, that may help some of us head off exploits that may impact others, is a bad thing. If you feel you need to share it privately, fine. But don't allow the problem to worsen by hiding the facts. This goes for the Lindens too. I have built in security features I can activate if I feel that this code is at risk of doing harm. But I need facts to work from.

As far as money tree owners go: I have no information that the code has been compromised. Additionally, I feel that even if it were - it would not allow for direct monetary exploit. I will update you if I get any hard facts.
_____________________
Avatar: A temporary manifestation or aspect of a continuing entity.
Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
07-20-2005 06:48
From: nimrod Yaffle
Woo! I love trolls! If only I was allowed to say more about this. *sigh*


So why don't you say more about this to the Lindens, to help them resolve this? Or is it just more fun to play the "hahah I know stuff that you don't know" game and talk about how kewl the loser who did this is?
_____________________
Cristiano



Nala Galatea
Pink Dragon Kung-Fu
Join date: 12 Nov 2003
Posts: 335
07-20-2005 07:16
From: Cristiano Midnight
Or is it just more fun to play the "hahah I know stuff that you don't know" game and talk about how kewl the loser who did this is?


Ok, despite the fact that how one person gets their jollies is their own thing, the fact that he not only managed to reverse-engineer a piece of software to gain admin access to the system, but also managed to make off with untold amounts of resources does not make him or his group losers.

Yeah, my moral side thinks it's a horrible thing, but my geek side just keeps saying "Man, that was a cool hack."
Antagonistic Protagonist
Zeta
Join date: 29 Jun 2003
Posts: 467
07-20-2005 07:37
Nimrod, either post something if you know something or shut the F up.

I can't imagine who could possibly be preventing you from posting what you know, *IF* you know anything.

Full disclosure or don't waste our time. A subject like this is too serious for anything else.
Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
07-20-2005 07:40
From: Nala Galatea
Ok, despite the fact that how one person gets their jollies is their own thing, the fact that he not only managed to reverse-engineer a piece of software to gain admin access to the system, but also managed to make off with untold amounts of resources does not make him or his group losers.

Yeah, my moral side thinks it's a horrible thing, but my geek side just keeps saying "Man, that was a cool hack."


My geek side thinks it is a waste of technical brilliance to do nothing but hurt people. The destructiveness of hacking is nothing to glorify or admire. The actions of this person or group of people may have gotten their little dicks all hard, but the end result is they pissed all over the work of others that they had no right to. The destructiveness of posting the source code of those scripts to the web absolutely makes them complete and utter losers. To draw an extreme parallel, the coordinated attacks on 9/11 were spectacular from a purely strategic angle - it doesn't make the people who did so any less monstrous because of their amazing skills.
_____________________
Cristiano



Ellie Edo
Registered User
Join date: 13 Mar 2005
Posts: 1,425
07-20-2005 07:41
Hmmm... all getting more serious, is it?

I better go collect those prototypes.

Is it getting time to start planning how our whole system would survive on open-source non-linden servers in the future? Script encryption? Creator authorising chosen servers to decrypt and run? Auto expiry, or manual revoking? Auto verification of server code, with script refusing to open unless server code is trustworthy and honors the rules? A licensing authority for the server code? A pgp-like web of trust?

Some of you must know about how this could be done. Such problems must surely have been solved in other spheres. I expect it is a major concern of the team working on that opensource metaverse project. If anyone wants to discuss, probably needs a new thread.
_____________________
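An added example, not part of the original thread or of any Linden Lab code: one way the "creator authorises chosen servers, with auto expiry and manual revoking" idea from the post above could look, with the creator running a key-release check before handing a script key to a server. All names, keys and identifiers are constructed, and the server build hash is simply self-reported here; trusting it in practice would need some form of attestation.

```python
import hashlib
import hmac
import json
import time

# Constructed demo values; CREATOR_KEY never leaves the creator's service.
CREATOR_KEY = b"constructed-demo-key"
DEMO_BUILD = hashlib.sha256(b"constructed server build 1.0").hexdigest()
TRUSTED_SERVER_BUILDS = {DEMO_BUILD}   # server code the creator accepts
REVOKED_SERVERS = set()                # manual revocation list


def _mac(payload: bytes) -> bytes:
    return hmac.new(CREATOR_KEY, payload, hashlib.sha256).hexdigest().encode()


def issue_grant(script_id, server_id, build_hash, ttl_seconds, now=None):
    """Authorise one server build to run one script until the grant expires."""
    now = time.time() if now is None else now
    if build_hash not in TRUSTED_SERVER_BUILDS:
        raise PermissionError("server build is not on the creator's allowlist")
    claims = {"script": script_id, "server": server_id,
              "build": build_hash, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, sort_keys=True).encode()
    return payload.hex() + "." + _mac(payload).decode()


def check_grant(token, script_id, server_id, build_hash, now=None):
    """Return 'ok' only if the script key may be released for this request."""
    now = time.time() if now is None else now
    try:
        payload_hex, tag = token.split(".")
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return "malformed"
    # Constant-time comparison; reject anything the creator did not issue.
    if not hmac.compare_digest(tag.encode(), _mac(payload)):
        return "bad-signature"
    claims = json.loads(payload)
    bound = (claims["script"], claims["server"], claims["build"])
    if bound != (script_id, server_id, build_hash):
        return "wrong-binding"
    if now >= claims["exp"]:
        return "expired"
    if server_id in REVOKED_SERVERS:
        return "revoked"
    if build_hash not in TRUSTED_SERVER_BUILDS:
        return "untrusted-build"
    return "ok"
```

Expiry and revocation only stop future key releases: a server that has already been given a key can keep the decrypted script, so the scheme limits who receives the source rather than guaranteeing it stays hidden.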